Implementation of Risk Management Principles

8/6/2019 Implementation of Risk Management Principles

1/23

GHTF/SG3/N15R8

FINAL DOCUMENTTitle: Implementation of risk management principles

and activities within a Quality ManagementSystem

Authoring Group: GHTF Study Group 3

Endorsed by: The Global Harmonization Task Force

Date: May 20, 2005

Abraao Carvalho, GHTF Chair

This document was produced by the Global Harmonization Task Force, a voluntary international group of representatives from medical device regulatory authorities and trade associations from Europe, the UnitedStates of America (USA), Canada, Japan and Australia.

The document is intended to provide non-binding guidance to regulatory authorities for use in theregulation of medical devices, and has been subject to consultation throughout its development.

There are no restrictions on the reproduction, distribution or use of this document; however, incorporationof this document, in part or in whole, into any other document, or its translation into languages other thanEnglish, does not convey or represent an endorsement o f any kind by the Global Harmonization Task Force.

Copyright 2000 by the Global Harmonization Task Force


2/23

GHTF Study Group 3 SG3/N15R8 Page 2 of 23

IMPLEMENTATION OF RISK MANAGEMENT PRINCIPLES AND ACTIVITIES WITHIN AQUALITY MANAGEMENT SYSTEM

1. Introduction1.1. Purpose1.2. Scope

2. Definitions

3. General3.1. Documentation3.2. Communication

4. Management Responsibilities

5. Outsourcing

6. Planning

7. Design and Development7.1. Design and development planning7.2. Design and development input7.3. Design and development outputs7.4. Design and development review7.5. Design and development verification

7.6. Design and development validation7.7. Control of design and development changes7.8. Design and development transfer

8. Traceability

9. Purchasing Controls and Acceptance Activities9.1 Purchasing Controls9.2 Acceptance Activities

10. Production and Process Controls

10.1. Manufacturing, Measuring and Monitoring Equipment10.2. Work Environment and Personnel10.3. Process Validation

11. Servicing

12. Analysis of Data

13. Corrective and Preventive Actions (CAPA)

Annexes:Annex A An Example of a Risk Chart for Communicating Internal Risk Management

Activities


3/23


Annex B Flow Chart Risk Management Activities in Design and DevelopmentAnnex C Example of A Risk Management Summary Table


4/23


5/23


Risk management principles should be applied throughout the life cycle of medical devicesand used to identify and address safety issues. In general, risk management can becharacterized by phases of activities. The following discussion is one example of how thesephases can be described. The first phase can be the determination of levels of risk that wouldbe acceptable in the device. Manufacturers should have a procedure or policy to determine

risk acceptability criteria. These risk acceptability criteria may come from an analysis of themanufacturers own experience with similar medical devices or research on what appears tobe currently accepted risk levels by regulators, users, or patients, given the benefits derivedfrom diagnosis or treatment with the device. Risk acceptability criteria generally should bereflective of state-of-the-art in controlling risks.

The second phase can be risk analysis. This phase starts with identifying hazards that mayoccur due to characteristics or properties of the device during normal use or foreseeablemisuse. After hazards are identified, risks are estimated for each of the identified hazards,using available information.

In the third phase, the estimated risks are compared to the risk acceptability criteria. Thiscomparison will determine an appropriate level of risk reduction, if necessary. This is calledrisk evaluation. The combination of risk analysis and risk evaluation is called risk assessment.

The fourth phase can be composed of risk control and monitoring activities. Themanufacturer establishes actions, i.e. risk control measures, intended to eliminate or reduceeach risk to meet the previously determined risk acceptability criteria. Within the limits of feasibility, one or more risk control measures may be incorporated in order to achieve thisend. Risk control activities may begin as early as design input and continue through thedesign and development process, manufacturing, distribution, installation, servicing andthroughout the medical device life cycle.

Some regulatory schemes prescribe a fixed hierarchy of risk control measures that should beexamined in the following order:

Inherent safety by design; Protective measures in the device or its manufacture; Information for safety, such as warnings, etc.

Throughout the life cycle of the device the manufacturer monitors whether the risks continue

to remain acceptable and whether any new hazards or risks are discovered. Informationtypically obtained from the quality management system, for example, production, complaints,customer feedback, should be used as part of this monitoring. If at any time, a risk isdetermined to be unacceptable, the existing risk analysis should be reexamined andappropriate action taken to meet the risk acceptability criteria. If a new hazard is identified,four phases of risk management should be performed.

These activities can be performed within the framework of the quality management system.

1.1. Purpose

This guidance document is intended for educating the medical device sector. However, it isnot intended to be used to assess or audit compliance with regulatory requirements.


6/23


1.2. Scope

This document discusses and supports the implementation and integration of a risk management system within a medical device manufacturers quality management system and

provides practical explanations and examples.

2. Definitions:

Harmphysical injury or damage to the health of people, or damage to property or the environment[ISO/IEC Guide 51:1999, definition 3.1]

Hazardpotential source of harm[ISO/IEC Guide 51:1999, definition 3.5]

Residual riskrisk remaining after protective measures have been taken.[ISO/IEC Guide 51:1999, definition 3.9]

Riskcombination of the probability of occurrence of harm and the severity of that harm[ISO/IEC Guide 51:1999, definition 3.2]

Risk analysissystematic use of available information to identify hazards and to estimate the risk [ISO/IEC Guide 51:1999, definition 3.10]

Risk assessmentoverall process comprising a risk analysis and a risk evaluation[ISO/IEC Guide 51:1999, definition 3.12]

Risk controlprocess through which decisions are reached and protective measures are implemented forreducing risks to, or maintaining risks within, specified levels

[ISO 14971:2000, definition 2.16]Risk evaluation

judgment, on the basis of risk analysis, of whether a risk which is acceptable has beenachieved in a given context based on the current values of society[NOTE Based on ISO/IEC Guide 51: 1999, definitions 3.11 and 3.7]

Risk managementsystematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and controlling risk [ISO 14971:2000, definition 2.18]


7/23


3. General:

3.1. Documentation

Documents or records resulting from risk management activities such as risk management

procedures, reports, etc. may be maintained or referenced in either a risk management file orother appropriate files (e.g., Design History File, Technical File/Technical Documentation,Design Dossier, Device Master Record, Device History Record, or Process Validation files).

The manufacturer should consider the benefits of integrating the risk managementprocedures, documents and records directly into the quality management system procedures,documents, and records. The advantage of this could be a single document control system,ease of use and review, accessibility, retention, etc. If a manufacturer chooses to integrate therisk management system into the quality management system, the risk management fileshould contain references or an index of where the risk management requirements aresatisfied.

Document controls, including document change controls, for risk management systemdocumentation should be the same as the controls for quality management systemdocumentation. This documentation can be in any form or type of medium.

3.2. Internal and External Communication

Within the quality management system, consideration needs to be given to internal andexternal communication throughout the entire medical device life-cycle. The type and depthof the communication should be appropriately tailored to the target audience.

Internal communication is necessary for all appropriate personnel to be aware of theremaining risks even after implementing risk control measures. Annex A provides anexample of a risk chart for communicating internal risk management activities.

External communication methods such as warning labels, user manuals, advisory notices,etc., should also be utilized to communicate necessary risk information.

4. Management Responsibilities:

Top management has a responsibility to incorporate risk management into the organization.This includes establishing risk management policies to ensure effective implementation of risk management principles and activities.

Objectives relating to device safety should be a major part of the overall quality objectives of the manufacturer. Management should also ensure that as part of quality planning, planningfor risk management activities is carried out in order to meet these objectives. These activitiesshould include:

Establishment of risk acceptability criteria Risk analysis Risk evaluation Risk control and monitoring


8/23


Management is responsible for providing sufficient resources to carry out risk managementactivities.

Management should ensure that responsibilities and authorities for risk management activities

are defined and assigned to qualified personnel, including those related to monitoring datafrom production and post-production.

Manufacturers should plan and perform internal quality audits to verify whether risk management activities and related results comply with planned and established procedures.The internal audits should ensure the continued effectiveness of the risk management system.

Management reviews of the quality management system should include information frominternal quality audits including risk management activities and related results, whereappropriate.

5. Outsourcing

A manufacturer may outsource processes (e.g. sterilization, tooling, coating processes,testing, design, manufacturing) or products (components, subassemblies or entire devices)and must maintain control over these outsourced processes and products. The manufactureris responsible for incorporating appropriate risk management activities for these processesand products by planning and by ensuring risk control measures are appropriately applied.Before the approval and implementation of a change to any outsourced process or product,the manufacturer should:

Review the change; Assess if new risks have been discovered; and, Determine if current and/or new individual residual risks and/or the overall risk is

acceptable according to the predetermined existing acceptability criteria.

If there are any risk control measures applied to outsourced process or products, the risk control measures and their importance should be documented within the purchasing data orinformation and clearly communicated to the supplier.

6. Planning:

Risk management planning needs to span the entire life cycle of a medical device. A separaterisk management plan may not be necessary if the manufacturer adequately addresses risk management within the quality management system planning activities.

7. Design and Development:

Design and development of a medical device is an evolutionary process, embracing manyengineering and management practices. Integral to activities associated with this process are

the identification and control of risks. Risk controls can be influenced by technical andbusiness feasibility considerations, as well as considerations of device functionality and


9/23


associated benefits. The objective of risk management is rarely to eliminate all risk, butrather to reduce risk to an acceptable level while maintaining feasibility and functionality.

Risk management activities should begin as early as possible in the design and developmentphase, when it is easier to prevent problems rather than correcting them later. For each

identified hazard, the risk in both normal and fault conditions is estimated. In risk evaluation,the manufacturer decides whether risk reduction is needed. The results from this risk evaluation such as the need for risk control measures then become part of the design input.

Risk control measures are part of the design output and are evaluated during designverification. This design input/output/verification cycle will iterate and continue throughoutthe overall design control process until the residual risks have been reduced to an acceptablelevel and can be maintained at an acceptable level. The overall effectiveness of risk controlmeasures is confirmed during design validation.

Relying exclusively on design and development processes to control risk is not sufficient.Even the best design and development processes can fall short of ensuring error free designoutput.

After release of the device to market, risk management activities should be linked to qualitymanagement processes, for example, production and process controls, corrective andpreventive actions (CAPA), servicing and customer feedback.

Design and development activities targeted at controlling risks should be supported bydocumentation. This documentation should relate the design activities to identified risks in away that provides objective evidence that the nature and extent of the design control isreasonable and appropriate to the degree of risk.

The flowchart depicted in Annex B shows a synopsis of the risk management activitiesoverlaid on the general design and development process as defined within a qualitymanagement system.

7.1. Design and development planning

Design and development planning should ensure that coordination of risk managementactivities is conducted during design and development. Design and development planningshould identify:

The inter-relationship(s) between appropriate risk management activities and designand development activities; and,

The needed resources, including appropriate expertise required to ensure sufficientcoverage of potential safety concerns.

7.2. Design and development input

Design and development inputs for a device are captured in one or more documents intendedto be the foundation for subsequent design and development activities. Design and

development inputs include adequate consideration of intended use and functional,performance, safety and regulatory requirements.


10/23


Risk control measures are one output from risk management activities, which should feedinto the design and development process.

Risk analysis consists of identifying hazards and the potential harms due to those hazards andestimating the risks of those harms occurring. Hazard identification starts with consideration

of the medical devices intended use, its characteristics and its environment. Risk-relateddata from post-production information for the generic type of device should be considered if it is available. In addition, risk-related information on the manufacturing methods to be usedin the production of the device should be considered. This normally results in a preliminarylist of known and foreseeable hazards. Such hazards may be found in relevant standards orother data sources such as vigilance databases, independent product test reports, etc.

The identified hazards may produce several harms, as well as, one harm may come fromseveral hazards. The probability of occurrence of the harm and its severity need to bedetermined. (See Annex A). Risks from these hazards are estimated and evaluated againstpreviously established acceptability criteria to determine whether risk controls are needed.

Any proposed changes to identified design characteristics, specifications, and/or risk controlmeasures and their associated hazards from the current risk analysis must be carefullyevaluated with respect to continued safety and specified performance of the device beforeactual implementation.

If the device is intended to be used in combination with, or installed with, or connected toanother medical device or equipment, then hazards and risk control measures should beevaluated for each device individually as well as the system or combination as a whole.

When establishing design and development inputs, the need for risk control measures shouldbe considered. When risk control measures are determined to be necessary and are initiallydefined, these become an output as part of the iterative cycle.

7.3. Design and development outputs

Risk control measures identified during the input phase must be designed and incorporatedinto the design and development output. These risk control measures will have to beevaluated as to their feasibility.

Design and development outputs are generally of three types. The first type includes

specification of the characteristics of the medical device, as well as those essential for its safeand proper use. The second type of design output relates to requirements for purchasing,production, handling, distribution and servicing. The third type includes medical deviceacceptance criteria. All types may include information essential for safe and proper use.Risk control measures may fall into any of these categories. Table 1 shows examples of eachtype of risk control measure.

Table 1

Design and development output type Examples of risk control measuresmedical device characteristics including those

essential for its safe and proper use

Compliance with IEC 60601 Over-temperature alarm Information related to any residual risk


11/23


(e.g. warning label on device, operatorsmanual, or service manual)

Redundant power source on a life-supportdevice

Interlock switch on access door of an x-raycabinet

Watchdog timer (in a microprocessor-based device)

User trainingrequirements for purchasing, production,handling, distribution and servicing

Special quality requirements in contracts Imposing stringent process controls Mandatory part replacements in planned

maintenance service intervals for processequipment or the medical device itself

Limitation of lot sizes

Environmental requirements such astemperature, pressure, humidity, etc.medical device acceptance criteria Torque specification for a threaded fastener

Dimensional tolerances for a vacuum linefitting

Contamination levels or sterilityrequirements for a device or accessory

Electrical safety performance limits (e.g.,leakage current, insulation strength)

Design outputs will include the specific risk control measures and where those risk controlmeasures will be applied.

During the design and development process, when inherent safety and/or design forprotective measures are not possible or practical, additional risk control measures such aslabeling, training and residual risk communication may be necessary design outputs. Theserisk control measures should apply to the medical device life-cycle.

7.4. Design and development review

Design and development reviews should determine if any individual residual risks as well asany overall residual risk are adequately communicated to appropriate individuals includingusers. These reviews should determine the validity of risk/benefit decisions related to theacceptance of the overall residual risk. Reviewers should have the necessary competence toassess design decisions concerning risk acceptability.

Design review procedures should define risk review tasks that should be performed atappropriate stages of design and development. Design and development reviews shouldassess, for example:

Whether all hazards have been identified, risk properly assessed and potential risk control measures identified.

The effectiveness of risk control measures for individual risks.


12/23


If design validation activities effectively assessed the overall residual risk associatedwith the use of the device by the intended user.

Whether new risk-related issues identified during the design transfer process werecontrolled and verified.

7.5. Design and development verification

Design and development verification should generate objective evidence that identified riskswere addressed, risk control measures were implemented as necessary, and risk controlmeasures were verified to be effective so that the end result meets the defined acceptabilitycriteria.

Procedures should define appropriate analytical techniques and test methods related to safetyrequirements. Procedures should ensure traceability between identified hazards, risk controlmeasures, medical device design and development requirements, test plans, and test results.

Annex C is an example of a risk management summary in a table format, which alsodemonstrates traceability.

7.6. Design and development validation

Validation confirms the medical device meets user needs, intended uses, and the overallresidual risk meets the overall acceptability criteria. To ensure risk control measures areadequately addressed in the validation plan, the plan should include sufficient numbers of allanticipated user population(s) and all intended uses to give confidence that the overallresidual risk determination is consistent with expectations. Any simulated use testing shouldbe designed to provide similar levels of confidence. Unforeseen hazards that emerge fromvalidation need to be assessed and, if necessary, controlled.

Note: Risk control measures need to be established and addressed prior to conducting clinicaltrials/investigations.

7.7. Control of design and development changes

History has repeatedly demonstrated that seemingly trivial changes may have unforeseen and

sometimes catastrophic consequences. Proposed changes to the medical device and/or itsmanufacturing processes should be evaluated for their effect(s) on the safety of the device.This evaluation should be based on criteria for risk acceptability contained in risk management and design and development records and documents.

The need for changes may arise at any time in the life cycle of the medical device. Some of these changes can introduce new hazards, eliminate existing hazards, or change the level of risk associated with a hazard. A change could be the result of many factors, including achange in a risk control measure or a re-evaluation of the original risk assessment. If achange takes place, the current risk assessment should be reviewed and updated as necessary.

Examples of such changes are: A change of material (even nominally identical material from a different supplier);


13/23


Replacement of one machine in a process by another; Seemingly trivial changes to a process may have cumulative effects; Change of suppliers; Change made by suppliers; Change of intended use or the intended user; When a device is part of a system and any single characteristic of the device or system

changes, the system as a whole should be evaluated.

Prior to implementing a proposed change, it is important to ensure that any individualresidual risk(s), as well as the overall residual risk, are defined and remain acceptable.

7.8. Design and development transfer

During design transfer the manufacturer should ensure the implementation and effectivenessof defined risk control measures. The manufacturer should ensure that existing or newlyidentified risk-related issues are resolved prior to the release of the design to production.

8. Traceability:

Risk management data should be utilized to define which devices, components, materials andwork environment conditions require traceability.

Risk management activities should be used in conjunction with regulatory requirements toestablish criteria for traceability. Points to be considered include:

Origin of components and materials; Processing history; Distribution and location of the device after delivery (to the first consignee); Intended use of the device (i.e., life sustaining, life supporting, or implantable); Probability of failure; Need for safety related updates (i.e. recalls, advisory notices, field updates, etc.); Consequence of the failure for patients, users or other persons.

In defining the records required for traceability, the manufacturer should consider all thosedevices, components, materials and work environment conditions, which could cause themedical device not to satisfy its specified requirements including its safety requirements.

9. Purchasing Controls and Acceptance Activities:

9.1. Purchasing Controls

Risk management activities should identify hazards and evaluate risks, including thosepotentially introduced by suppliers early in the product realization process.

Risk management roles and responsibilities of the manufacturer and supplier should be

defined as part of the purchasing requirements. In addition, prescribed risk control measuresderived from the risk management process during product realization should be included inthe purchasing requirements as part of the purchasing information.


14/23


Established criteria for selection, evaluation and re-evaluation of suppliers of purchasedproducts and services should also be based upon the risk associated with identified hazardsrelated to the purchased products and services determined during the risk managementprocess.

9.2. Acceptance Activities

The manufacturer should communicate risk management policies, as well as establish andimplement procedures necessary for ensuring that purchased product and services meetspecified purchase requirements. In developing the acceptance criteria for purchased productand services, results of risk management activities should be considered. Specifically, theidentified hazards and their related risk control measures need to be taken into account whendeveloping criteria for verification and acceptance activities.

10. Production and Process Controls

The manufacturing process may be a source of identified hazards. These hazards can comefrom equipment, processes, work environment, personnel, etc., or the variability of those.These hazards should have already been identified during the design and development or arediscovered during production or post-production. The risk control measures necessary toaddress these hazards need to be included in documented production and process controlprocedures.

The outcome of risk management activities may provide input to the development of appropriate methods for measuring and monitoring manufacturing processes. It is importantfor all personnel involved to understand the significance as well as the implementation of anyrisk control measures on the manufacturing processes to ensure the effectiveness of the risk control measures.

Risk assessment of manufacturing processes, using tools such as Hazard Analysis andCritical Control Points (HACCP), Hazard and Operability Study (HAZOP), Fault TreeAnalysis (FTA), Failure Modes Effect Analysis (FMEA), Process Analytical Technology(PAT), etc., can help establish or improve process controls by identifying:

What can go wrong at each step of the process;

The impact of failure on the medical device; The likelihood of the failures; and, Controls to detect and prevent the failure or causes.

Production information such as the rate of nonconformities, the rate of rework, scrap, yield,and other sources of quality data should be evaluated and or compared against the current risk management output to confirm adequacy and completeness of risk controls.

10.1. Manufacturing, Measuring and Monitoring Equipment

Establishment of the suitability of equipment and the frequency of cleaning, maintenance andcalibration should be considered with reference to the risks associated with the process.


15/23


Work instructions should also be reviewed and updated to reflect any appropriate risk controlmeasures.

10.2. Work Environment and Personnel

Where the work environment or the impact of personnel on the medical device or process aredetermined to result in risk for the products or process, then risk control measures should bedefined, documented and implemented. The effectiveness of these risk control measuresshould be periodically assessed.

10.3. Process Validation

Process validation and the determination of the need for revalidation may be influenced bythe results of risk management activities. When performing process validation, risk management tools, such as FTA, FMEA, HAZOP, HACCP, PAT, or others, should beconsidered. Results of process validation or revalidation may identify the need for additionalrisk control measures. One example may be confirming or refining specific processparameters and controls when the source of an identified hazard is process variability.

When process changes are undertaken, current risk control measures should be reviewed forsuitability. This review should also ensure that no new hazards were introduced.

11. Servicing

Servicing as used in this clause means repair and maintenance activities for medicaldevices.

When servicing is a specified requirement, information from risk management activitiesshould be considered. Periodic servicing and maintenance as a means to ensure safefunctioning of a device can be a method of risk control.

If a certain risk control measure is necessary for a production process, it may also benecessary to apply the same (or similar) risk control measure to the servicing process.

When there is a hazard to service personnel, clear instructions need to be included inservicing manuals or documentation and appropriate training provided.

12. Analysis of Data

Production and post-production information on the manufacturers own devices needs to becontinually monitored and analyzed in performing new risk assessments and revising currentrisk assessments in order to maintain an effective risk management process.

Additional sources of information to be considered include:

Information on competitors devices; Information on similar medical devices on the market; Published information (recalls, Medical Device Reports, vigilance reports, etc.);


16/23


Scientific literature.

The analysis of data should demonstrate that the decisions and risk control measuresdetermined within the risk management process are appropriate.

13. Corrective and Preventive Actions (CAPA):

Figure 1 illustrates how risk management can be integrated into the CAPA process.

Key Quality Data Points

ServiceReports

ProductComplaints

Complaints enteredinto Complaint Handling System

CAPA Process(i.e. Investigate

Cause, documentrationale for no

investigation, etc.)

ManufacturingNon-conformities/

Defects

EngineeringNon-conformities/

Defects

Quality SystemNon-conformities/Defects

Possible CAPA Actions Product Change Process Change Supplier Change Notice Field Upgrade to installed base Input for New ProductsInput to RM process start

SupplierAudits

Internal and externalAudits

PurchasedPart Non-conformities

ProductionNon- conformitiesComplaint?

Yes

No

KnownProblem?

Yes

No

Dataanalysis/trending

Action required?

No

Continue Monitoring

Yes

Risk ManagementProcess

Other ManagementData Points (1)

(1) Such as Finished Goods Returned, Credit restock(2) The relationship will depend upon the output of the investigation. This process can be iterative

(2)

Action required?

Dataanalysis/trending

Yes

No

Figure 1

The results of CAPA reviews should reveal any previously unrecognized risks and theeffectiveness of risk control measures. This information should also be utilized todetermine the effectiveness of the risk management activities and determine requiredactions to be taken to correct the identified issues and prevent recurrence.


17/23


For example, a service report indicating a safety related issue with a device is reported to amanufacturer and is determined to be a complaint. The complaint is reviewed and aninvestigation is initiated. During the investigation, it was determined that a manufacturingprocess change had occurred. Potential causes:

Unanticipated effect on the device; Inadequate assessment of the process change; Inadequate revalidation; Lack of revalidation; Inadequate risk control measures; Risk control measures not evaluated with the change;

For any combination of the above, it is expected that the risk management system use thispost market information to initiate another design risk assessment. The extent of therevised risk assessment will depend upon the complaint investigation results. The resultsof any revised risk assessment should be documented. Any new or revised risk controlmeasures will be part of the overall CAPA activities.


18/23


Annex A: An Example of a Risk Chart for Communicating Internal Risk ManagementActivities

An effective and efficient risk management process requires a manufacturer to interpret risk consistently when conducting risk management activities. Certain standards provide simple

and useful risk descriptions.

For example, the risk could be presented in a simple two-dimensional chart. Identifiedseverity and occurrence categories are defined and justified. A manufacturer may define athree-region risk chart as follows:

O-6

O-5

O-4 HIGH

O-3 MEDIUM

O-2 LOW

O-1 P r o b a b

i l i t y o f

O c c u r r e n c e o f

H a r m

O-0

S-1 S-2 S-3 S-4 S-5Severity of Harm

Legend

Severity of HarmProbability of Occurrence of

HarmS-5 Catastrophic O-6 AlwaysS-4 Critical O-5 FrequentS-3 Serious O-4 ProbableS-2 Minor O-3 OccasionalS-1 Negligible O-2 Remote

O-1 ImprobableO-0 None Observed

Such a risk chart could be used as a communication tool among appropriate personnel.


19/23


Annex B: Flow Chart Risk Management Activities in Design and Development

Design Transfer

Design and DevelopmentValidation

Design and DevelopmentVerification

Design and DevelopmentOutput

Design andDevelopmentPlanning

Design and DevelopmentInput

Design ReviewsRisk management planning for adevice based on the quality systempolicy and objectives, to include therisk acceptability criteria defined bymanagement

Intended use Functional, performance,

and safety requirements Applicable statutory and

regulatory safetyrequirements

Safety Information fromprevious, similar designs

Other requirementsessential for safety

Identify list of hazards; harms Risk estimation Risk evaluation Requirements for risk control

measures

Design,hazard and risk

assessmentreview - Is the

hazardidentification andrisk assessment

acceptable?

Design of risk controls, includingdevice and process risk controlmeasures, if necessary

Determination of individualresidual risk after theapplication of risk control

Do theindividualresidual

risks meetthe

acceptabilitycriteria?

Have any newsafety designrequirements

beenidentified

during designverificatio n

Individualresidual riskreview - Areresidual risksacceptable?

Have any newsafety designrequirements

beenidentified

during designvalidation?

Do thebenefits of

providing thedevice

outweigh therisks of usingthe device?

Does theoverall

residual riskmeet theoverall

acceptabilitycriterion?

Project cancellationor device redesign

Design transfer(including device andprocess risk controlspecifications and

requirements)

No No

No

No

No NoYes

Yes

Yes

Yes Yes

Yes

No

Yes

Are riskcontrols

measuresfeasible?

No

Yes

Note: While it is not possible to depict the iterative nature of processes within this flowchart,manufacturers should anticipate subsequent processes feeding back into prior process steps.


20/23


21/23


The third level of hazard classification is a particular cause or contributing factor. Typically,a given hazard may have multiple causes or contributing factors, combinations of which leadto similar outcomes, as shown in the example.

B. Risk Evaluation

These two columns show the results of risk evaluation before and after risk control. In thisexample, the risk level is characterized by a coding scheme using Roman numerals and lettersto denote estimates for severity and likelihood, respectively. The color or shading of the cellrepresents the manufacturers grading of risk acceptability (e.g., intolerable, undesirable,tolerable, negligible). The details of the scheme used by this manufacturer are not importantfor this example. Other manufacturers may employ different approaches to risk evaluation,but the results in any case would be summarized in these two columns.

C. Risk Control Measures

This column describes the risk control measures that form the basis for the risk reductionshown. The actual risk scenarios and risk control measures might be far more complex thanis possible to describe in a short summary paragraph. In that case, the entry in this columnmight refer to another document that describes the risk control measures in more detail.

D. Traceability Data (RqtID and TestID)

These two columns provide traceability between risk control measures, device designrequirements, and verification/validation activities. The column labeled RequirementIdentification (RqtID) points to relevant clauses in the medical device design documentationthat define requirements relating to a given risk control measure. The column labeled TestIdentification (TestID) points to clauses in test procedures or other verification andvalidation documents that confirm that the control measure was adequately implemented.

In the example, HRD refers to the devices Hardware Requirements Document, and SRDrefers to the Software Requirements Document. STP refers to the System Test Procedurefor this particular device.

E. Status Information

The last column is used during medical device development to track progress in completing

risk management activities. This example uses cell color or shading to highlight incompleteactivities.

Example of Use of the Table

As an example of how to use the risk management summary table, consider the entry forHazID 3.1.2. This entry describes the use of a keyboard lock to prevent unauthorizedchanges to device settings. The keyboard lock mechanism, as a risk control measure, was

judged to reduce risk from a level of I-B to I-D, reflecting reduced likelihood of thehazardous event. The requirement for a keyboard lock was captured in the SoftwareRequirements Document, paragraph 7.2, and the functionality of the keyboard lock was

tested in Section 17 of the System Test Procedure. The last column indicates that the resultsof this testing are not yet available.


22/23


Literature

ISO 9000:2000 Quality management systems Fundamentals and vocabulary

ISO 13485:2003 Medical devices Quality management systems Systemrequirements for regulatory purposes

ISO 14971:2000 Medical devices Application of risk management to medical devices

IEC 62366 Ed. 1 Medical Devices General requirements for safety and essentialperformance-Usability

IEC 60601-1-6:2004 Medical Electrical Equipment Part 6: General Requirements forsafety - Usability

General Principles of Software Validation; Final Guidance for Industry and for FDA Staff (FDA/CDRH, issued January 11, 2002)

http://www.fda.gov/cdrh/comp/guidance/938.html

Off-The-Shelf Software Use in Medical Devices; Guidance for Industry, FDA Reviewersand Compliance on (FDA/CDRH, issued on September 9, 1999)

http://www.fda.gov/cdrh/ode/guidance/585.html

Do It By Design - An Introduction to Human Factors in Medical Devices; (FDA/CDRH,issued December 1996)

http://www.fda.gov/cdrh/humfac/doit.html

Also Consider These Draft Documents and Resulting Final Documents:

IEC/1CD 62304 Medical device software - Software life-cycle processes(Developed by IEC/SC 62A and ISO/TC 210 JWG 3, date of

circulation 2003-01-17, closing dates for comments 2003-04-21)ISO/DTS2 19218 Medical Devices - Coding structure for event type and cause


23/23


This Page Intentionally Left Blank